Amendments to the Specification
Please replace the paragraph on Page 8, lines 14-17 with the following marked-up replacement
paragraph:

-- Accordingly, what is needed is a technique for providing consistent, end-to-end
protection for user datagrams throughout the network path they travel, whether over secure or
non-secure networks, while still allowing the packet [[context]] content to be surfaced in cleartext
form in security gateways. --

Please replace the paragraph on Page 9, lines 4-5 with the following marked-up replacement
paragraph:

-- Another object of the present invention is to provide this technique in a manner that
allows the packet [[context]] content to be surfaced in cleartext form in security gateways. --

Please replace the paragraph on Page 19, lines 5-14 with the following marked-up replacement
paragraph:

-- As stated earlier, security breaches may occur once a data packet enters the intranet
environment of Fig. 3 because the data is transmitted in un-encrypted, un-protected form. Fig. 4
illustrates the improved remote access environment provided when using the present invention,
whereby this security concern has been addressed. To transmit data between remote host 405
and server 440, through intermediate security gateway [[425]] 420, two secure tunnels are now
used. Tunnel 1 (element 415) securely transports data through the Internet 410, in a manner
similar to that of the tunnel 315 in Fig. 3. Tunnel 2 (element 435) provides secure transport
through the intranet 430. Security gateway 420 still has access to the data in cleartext form when
using these two tunnels, retaining the ability to provide services (represented by element 425) of
the type which were available in the environment of Fig. 3. --

Please replace the paragraph on Page 21, lines 6-14 with the following marked-up replacement
paragraph:

-- The improved business partner computing environment provided when using the
present invention is shown in Fig. 8. As in Fig. 6, three cascaded tunnels 815, 835, 855 are
established. Business partner A 805 securely transmits data through network 810 (which may be
the Internet or an intranet) to security gateway 820 using the first tunnel 815, security
gateway 820 securely transmits data through the Internet 830 to security gateway 840 using the
second tunnel 835, and security gateway 840 securely transmits the data through network 850
(which may be the Internet or an intranet) to business partner B 860 using the third tunnel 855.
End-to-end data protection is thereby provided, while still enabling content inspection services
(illustrated as elements 825, 845) to be performed in the security gateways using the
cleartext content of the data packets. --

Please replace the paragraph on Page 23, lines 8-9 with the following marked-up replacement
paragraph:

-- Client 905 will fill the role of "IKE Initiator" for both Phase 1 and Phase 2
negotiations with the gateway for tunnel pair 1 (shown at 910, 915). --

Please replace the paragraph on Page 25, lines 1-21 with the following marked-up replacement 
paragraph: 

-- When a data packet arrives from the client at the gateway, the gateway can decrypt
that packet using the decryption key corresponding to the IPSec SA (see element 915 of Fig. 9)
established with the client on the tunnel 1 side. At this point in the process, the gateway is in
possession of a cleartext copy of a datagram addressed from 9.1.2.3 to 8.1.2.3. In the prior art,
the gateway would simply process this datagram as a conventional datagram to be forwarded.
However, it is desirable to continue protecting the datagram on its next network segment. Thus,
the present invention enables additional security policy information to be used wherein the
datagram will be forwarded on a secure cascaded tunnel on the tunnel 2 side of the gateway. The
present invention therefore provides an additional element in the specification of the IKE/IPSec
policy (to be stored in the gateway's ingress and egress SPDs 1010, 1035) that will direct the
gateway to either use an existing cascaded tunnel, or if one is not available, to establish a pair of
IKE and IPSec security associations that will provide this next cascaded tunnel. This additional
policy element is specified in the form of a "cascading-enabled" flag which will be included in
the security associations identified by the SPIs already established for each direction of
transmission. When the cascading-enabled flag is set on, this indicates that the datagram is to be
sent on a cascaded tunnel as it leaves the gateway's egress interface. Because the IDci and IDcr
payloads are identical for each direction of transmission, the inclusion of an identical "cascading-
enabled" flag in the security associations for both [[direction]] directions of transmission will also
handle the cascading of SA tunnels for traffic flowing in the opposite direction, from server 935
to client 905. --
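To make the gateway decision flow of this paragraph (and the Fig. 4 and Fig. 8 cascading it builds on) concrete, the following Python model is an added example; it is not code from the patent, its applicant, or any IPsec implementation. It replaces ESP encryption with a toy SHA-256 keystream XOR, models the IKE Phase 1/2 negotiation as a local establish_sa_pair() call, reduces the ingress/egress SPDs to a single destination-to-next-hop map, and uses the addresses and element numbers on this page; the Gateway and SA classes, the "legacy host" peer, and the datagram layout are the example's own constructions.

```python
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in for ESP encryption (a toy, not a real cipher): XOR the data with a
    SHA-256 counter keystream. Applying it twice with the same key restores the data."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def build_datagram(src: str, dst: str, payload: str) -> bytes:
    """Constructed datagram layout for the example: 'src>dst|payload'."""
    return f"{src}>{dst}|{payload}".encode()


def parse_datagram(raw: bytes) -> Tuple[str, str, str]:
    header, payload = raw.decode().split("|", 1)
    src, dst = header.split(">")
    return src, dst, payload


@dataclass
class SA:
    spi: int
    key: bytes
    peer: str                # tunnel endpoint this SA is shared with
    cascading_enabled: bool  # the policy flag the amended paragraph introduces


@dataclass
class Gateway:
    # SPD, simplified to: destination address -> next tunnel endpoint on the egress side
    spd: Dict[str, str]
    sa_by_spi: Dict[int, SA] = field(default_factory=dict)
    tunnels: Dict[str, Tuple[SA, SA]] = field(default_factory=dict)  # peer -> (outbound, inbound)
    inspected: List[Tuple[str, str, str]] = field(default_factory=list)
    next_spi: int = 0x100

    def establish_sa_pair(self, peer: str, cascading: bool) -> Tuple[SA, SA]:
        """Models the outcome of an IKE Phase 1/2 negotiation with `peer`: one SA per
        direction, both carrying the same cascading-enabled flag so return traffic is
        cascaded as well. Keys are generated locally here; real IKE derives them jointly."""
        outbound = SA(self.next_spi, secrets.token_bytes(16), peer, cascading)
        inbound = SA(self.next_spi + 1, secrets.token_bytes(16), peer, cascading)
        self.next_spi += 2
        self.sa_by_spi[outbound.spi] = outbound
        self.sa_by_spi[inbound.spi] = inbound
        self.tunnels[peer] = (outbound, inbound)
        return outbound, inbound

    def receive(self, spi: int, ciphertext: bytes) -> Tuple[str, Optional[int], bytes]:
        """Handle a packet arriving on the SA identified by `spi`; returns (action, outbound SPI, bytes sent)."""
        sa_in = self.sa_by_spi[spi]
        # 1. decrypt with the key of the SA established on the arrival side
        cleartext = keystream_xor(sa_in.key, ciphertext)
        src, dst, payload = parse_datagram(cleartext)
        # 2. the gateway now holds the datagram in cleartext; content inspection
        #    services (elements 425, 825, 845 in the figures) run at this point
        self.inspected.append((src, dst, payload))
        # 3. prior-art behaviour: no flag, so the datagram is forwarded unprotected
        if not sa_in.cascading_enabled:
            return "cleartext", None, cleartext
        # 4. flag set: reuse the cascaded tunnel towards the next hop, or establish
        #    a new SA pair for it, then re-encrypt on the egress side
        next_peer = self.spd[dst]
        if next_peer not in self.tunnels:
            self.establish_sa_pair(next_peer, cascading=True)
        sa_out, _ = self.tunnels[next_peer]
        return "cascaded", sa_out.spi, keystream_xor(sa_out.key, cleartext)


def run_scenario() -> dict:
    """Walk-through with the page's addresses: client 9.1.2.3 to server 8.1.2.3 and back."""
    gw = Gateway(spd={"8.1.2.3": "server 935", "9.1.2.3": "client 905"})
    # tunnel pair 1: the client acted as IKE initiator; both resulting SAs carry the flag
    to_client, from_client = gw.establish_sa_pair("client 905", cascading=True)

    request = build_datagram("9.1.2.3", "8.1.2.3", "GET /report")
    action, spi_out, wire = gw.receive(from_client.spi, keystream_xor(from_client.key, request))
    to_server, from_server = gw.tunnels["server 935"]  # tunnel 2 was established on demand
    at_server = parse_datagram(keystream_xor(to_server.key, wire))

    # reverse direction: the reply arrives on tunnel 2 and is cascaded back onto tunnel 1
    reply = build_datagram("8.1.2.3", "9.1.2.3", "200 OK")
    action_rev, _, wire_rev = gw.receive(from_server.spi, keystream_xor(from_server.key, reply))
    at_client = parse_datagram(keystream_xor(to_client.key, wire_rev))

    # an SA without the flag: the gateway forwards the cleartext, as in the prior art
    _, from_legacy = gw.establish_sa_pair("legacy host", cascading=False)
    action_old, _, wire_old = gw.receive(from_legacy.spi, keystream_xor(from_legacy.key, request))

    return {
        "forward": (action, spi_out == to_server.spi, at_server),
        "reverse": (action_rev, at_client),
        "legacy": (action_old, wire_old == request),
        "tunnels": sorted(gw.tunnels),
        "inspected": len(gw.inspected),
    }


if __name__ == "__main__":
    print(run_scenario())
```

The point the model makes visible is the third step: every datagram passes through the gateway in cleartext regardless of the flag, which is what keeps the inspection services working, and only the flag on the arrival SA decides whether the egress copy is re-encrypted onto a cascaded tunnel or sent bare. Because the reply SA established on demand carries the same flag, the reverse direction needs no extra policy entry, matching the IDci/IDcr argument in the paragraph.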